Will 'controlled open source' software take over election work? (NewsForge)

A *whole lot* of people (hopefully including ex-Sarasote stripper and US Senatorial candidate Katherine Harris) are gonna lose their jobs this year...

The code need not be open source, however, it would need to be made available in source form to trusted third parties (including opponents of software voting machines) for inspection and review, with no restrictions placed on the inspectors that harm their ability to report flaws to the public. Regardless of whether the code is open source or not, the third-party inspectors should verify the process for producing the binary code (possibly by running the build process themselves with the specified software development tools, and checking that the binaries match).

Open source would be nice, but it's not a necessary condition for confidence in the election, and that's the problem that vitally needs to be fixed.

Solving this problem will take a codebase that is simpler and far more verifiable then either Windows or Linux.

There's one more thing I forgot to add: with this solution, it doesn't matter whether the voting machine's software is open source or proprietary, nor whether it's made by Diebold or whoever. When you can verify the results, it's not important how you obtained them.

What have I missed?

Sammy the Enforcer hangs around outside the polls and offers you $100 to vote for Slimey Fred. He instructs you "use 8353459322 as your identifier."

The day after the election Sammy reads the newspaper and notes that voter "8353459322" voted for Honest Ellen. After breakfast Sammy stops by your house and breaks your legs.

Or Sammy reads the paper and notices that nobody used ID "8353459322" in your ward. After breakfast Sammy stops by your house and breaks your legs.

But if Sammy sees that voter "8353459322" cast a ballot for Slimey Fred he'll stop by your house and give you $100.

Isn't it simpler to just print the official, recountable, ballot, let the voter view it behind glass, and then drop it into the locked box?

Also, unless someone takes the printed paper, and counts up the number of people listed as voting for X, and the number of people the system *said* voted for X, how do you know they match?

I'm not entirely sure why people are rushing for electronic voting anyway. What's wrong with the systems currently in use?

Complicated series of steps deleted

What have I missed?

A very important point:

Joe Average's eyes will glaze over when he gets to step 2. Voting must not only be fair, it must be seen to be fair by average members of the public. A voting system is no good if only 1% of the population (computer scientists) can understand and trust it.

A simple paper ballot is easily understandable by anyone capable of voting. Recounting paper ballots is easily understandable and verifiable by anyone capable of voting.

Even if someone came up with hack-proof hardware, hack-proof software, hack-proof officials and a hack-proof voting protocol (all of which is highly unlikely), it would still not be good enough because it's too complex for the large majority of the population to understand.

I don't know why people insist on trying to mis-apply technology where it will only create new problems. There is no problem whatsoever with paper ballots; there's absolutely no need to corrupt the system with technology.

I live in Brasil. We have had voting machines in the last 12-14 years (yes, twelve to fourteen -- it depends the size of the city you are in). Brazilians here: the first election here in Belo Horizonte to use the machines were the mayoral (and city council, state representation, governor, house and senate) before FHC was elected (as I count it, 2 years + 8 years + 1 1/2 = 11,5 years). I know it, because I was "mesário" (election "table" official? election "clerk"? what is a good English translation?) in the previous election, and in the two subsequent elections). IIRC, there were electronic ballot boxes in Rio and Sao Paulo in the election before that (the only two cities larger than Belo Horizonte).

Our voting machines are mainly of three different (internally) models: (a) the old ones, that use VirtuOS (*) as the OS, (b) the new ones, that use WinCE as the OS, and (c) the newest and deprecated ones that have the second printer to print your vote, show it to you inside a clear acrilic case, and mix it with others inside the machine.

Externally, all of them look roughly the same: a box similar to the old "portable computers" of the eighties, with a 5-6" diagonal LCD and a big numerical keypad in the right side of the screen, that has, besides the 0-9 keys, "confirma" (ok), "erro" (cancel), and "branco" (white).

The electoral process (from the point of view of the voter) begins ... when you get your first job. If you are a mandatory voter (literate person with age 18 to 65) you have to go to Electoral Court and register to vote. In the process of registering, you receive the "Título de Eleitor" (voter id card), in which you have the number of you voting section. To change jobs, and specially to get a government job, you have to prove you are a registered and regularized voter (you voted in the last election, or regularized your voting situation after it).

In the election day -- normally the first Sunday of October for the first round and the first Sunday of November in case of needing a second round (**), you scan the newspapers (or the Superior Electoral Court website), search for the address of your section, and go there. No, there is no transit (absentee) vote, you can only vote at that address. If you can't get there, you'll have to "justify" your absence to an Electoral Judge, to regularize your voting situation.

At the section, you will present your voter id card to one the "mesários", and if you don't have it on you, you can still vote (you can show other valid id), but will be delayed. The mesário will search for your name in the vote-ticket sheet, and annex it to your id while you vote. You will sign a receipt in a sheet, and proceed to the voting "booth". Another "mesário" will type your voter id # in a remotely connected keypad, setting the machine in the "ready to vote" mode.

The voting "booth" is really only a desk with the voting machine over it, facing nobody else in the room, and sometimes with a cardboard "cover" around it. You will "dial" the numbers of the candidates, in order. when you dial all the digits of one candidate, a star-trek-like chime rings, his/her face will show up in the screen, and if you digited it right, you hit "ok". otherwise, you hit "cancel" and start over. After typing all the candidates, you hit "ok" one last time, the machine chimes again, and goes to "stand by" mode. You have voted. If you don't want to vote for nobody for some office, you can hit "white" instead of the candidate ## (accounted as a "white vote", or "none of the above" -- this is the equivalent of putting your paper ballot in the box without marking anything), or if you really want to protest you can type 9999 or other non-existent-candidate-#, and your vote will be accounted as a "null vote", or "I'm really pissed of" (the equivalent of drawing pictures or writing "improper expletives" in a paper ballot)

Then, you get your id back, your ticket (keep it together with your voter id!! -- it's the proof that you are a regularized voter!), and you go home. Ah, bars do not open (theoretically) in the election day, so hope you have bought your beer/wine/other-booze in the day before).

From the point of view of election officials, things are more complicated. The machines arrive to the Electoral Judge (yes, a Judge of Law) pre-prepared one to two months before the election day, along with boxes of diskettes (where the results will go) and Flash ROM cards (where the software and the candidates names/photos will go). All Electoral Judge Offices already have Flash readers, to make some verifications on this Flash ROMs.

The electoral Judge has the personal responsability of, in the meantime before the election day, testing *ALL* of the machines and checking their Flashes with some checking software. He has to set the clock to the election opening date/time, emit the "zerésima" (0th report), that is a report saying "this box has no votes on it", make some votes, close the box, emit the totalling report, check if those were the votes, repeat the procedure a random number of times, and sign the machine as "ok" in a list. He should do it in a way that prevents "date/time" hacks, "number of activation times" hacks to be done. Some machines even get tested for a full day, to test for "number of votes" hacks. He can delegate some of the work, but it's his responsability -- he better delegate it to trusted people, in case of fraud it's his neck on the line.

In the evening of the election day, he must make sure the clocks are ok for all of the machines.

In the election day, the "mesários" in each section must emit the 0th report, annex it to the official election papers, and the box is ready to be used. At the end of the election day, the "mesários" emit 6 or more copies of the totalling report for each box. Three of them go with the official election papers, one is affixed in the outside of the section, and the others go to party appointed officials. Some electoral judges appoint press members to receive them, too.

The totalling is already in a diskette, that is inside a sealed compartment in the box. Some Electoral Judge Office employee breaks this seal (marking he's done so), and the diskettes are read in a computer in the Office, their contents (probably signed cryptographically) sent (directly by a dial-up line, not over the Internet) to the Regional Electoral Court, where they are processed against all other ballot boxes.

I should say, at this point, that all of this is accompanied by the Electoral Judge and the District Attorney, which are not elected officials in Brasil, and the elected officials have no power over them. Or at least, should not have.

The press and the parties' officials all have the intermediate per-box results, immediately after the election closed, so they can do the math, too. And they do -- in small towns the result of the mayoral elections is usually known far before the official announcement, because people sum the per-box results by hand, instead of waiting for the Big Computer at the Regional Court add for them.

Quoting (mis-quoting?) Gangs of New York, "ballots do not win elections -- counting does!", the counting/summing part is verifiable.

At this point, I should say I consider our system very very reliable, because of the distributed nature of the checkings that are done in the machines. I have worked at a District Attorney's office, and the fiscalization of the procedures to be done to the machine by the Electoral Judge was partly delegated to me, so I know what I'm talking about. The Judges and their guys usually fiddle with the clock, make a lot of votes, and thoroughly check the machines before they are used. This is taken very seriously.

Even in the few instances where it's not done so seriously, the overall bad effect is not great. Yes, it should be relatively easy to rig a mayoral election in a small town (100 machines or less -- each machine in the range from 500-10000 voters) -- but just with the DA's and the Judge's help. And they usually won't help, normally they have nothing in it for them, and the risk is very big [election fraud penalties are reasonably high]). But I think impossible the effort to rig, p.ex., an election like our last presidential one -- and, to boot, won by the opposition party.

You must notice that this is only allowed by our unified electoral system. The voter database is also a single one and it's very difficult to vote twice or more in our system.

I think the electronic system is better than the paper-ballots one (at least here in Brasil, but probably everywere) because counting ballot papers is hard, slow, error- and fraud-prone and no-one wants to recount them. It's easier, in my opinion, to rig some pre-printed million paper ballots and distribute them in a lot of ballot boxes than to distribute a million swing votes in 1000 machines.

I think the snafu in the last USofA election is really due to few people watching the counts, etc. Our multi-party (c. 20-30 parties now, but there were 50 at some point in the 90's) system makes every count/recount have at least 100 party officials doing the same. The voting machines were reasonably scrutinized by party-appointed experts.

Yes, paper trail (now deprecated here) is good, but only if you have a good, OCR-like way of counting the paper ballots. This is expensive. Our paper-trail machines had a second (thermal?) printer, that printed your vote and displayed it inside a clear plastic case before it was dropped in a box inside the machine, all sealed. But... as I said before, who is gonna recount them? It's easier to trust the distributed nature of the election and the audits made by the parties officials. If the paper trail were made in big, OCR-able letters, or with some bar-code, the tickets would have to be fixed-size, bigger than they were, and more expensive, in general.

Finally, yes, I would like the boxes to be all-free-software, so every citizen could independently verify the reliability of them, and even to check criptographically in some sense that the voting box he is using is "pristine", if possible, but... we did not get there yet.

(*) a DOS-clone-enhanced with possibility of multitasking and multiuser operation. a nice system, and it was always far better than MS-DOS.

(**) we have many political parties, so for the majority-vote offices (normally executive ones), if a candidate does not win 50%+1 of the valid votes, another electoral round is made with only the two most-voted candidates.